Developing Key Risk Indicators to Strengthen Enterprise Risk Management

Introduction

Boards of directors have become increasingly aware of their responsibilities related to effective oversight of management’s execution of enterprise-wide risk management processes. This is due, in part, to significant external pressures that have developed recently that are thrusting risk management and its oversight to the forefront of many board agendas and management action plans. For example, the New York Stock Exchange in 2004 adopted governance rules that require audit committees of NYSE-listed firms to oversee management’s risk oversight processes.
In 2008, Standard & Poor’s began explicitly evaluating an issuer’s enterprise risk management (ERM) processes in seventeen new industries, as an additional component of their credit ratings analysis. In 2009, the Securities and Exchange Commission (SEC) expanded proxy disclosure requirements to increase information for investors about the board’s role in risk oversight. The 2010 Federal Financial Reform legislation now mandates risk committees for boards of financial institutions and other entities overseen by the Federal Reserve.
Many organizations are embracing an enterprise-wide approach to risk oversight known as enterprise risk management (ERM), and executive management teams leading these efforts are turning to frameworks, such as COSO’s 2004 Enterprise Risk Management – Integrated Framework (COSO ERM Framework), to aid them in strengthening their enterprise-wide risk management processes.
COSO’s ERM Framework defines ERM as follows:
Enterprise risk management is a process, effected by an entity’s board of directors, management, and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within the risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.
As indicated by this definition, ERM provides the opportunity for organizational leaders to achieve a robust and holistic enterprise-wide view of potential events that may affect the achievement of the organization’s objectives. Because risks are constantly evolving as an organization strives to achieve its objectives, there is a high demand for relevant and timely risk information.
Many organizations are seeking to develop a process that provides management and the board of directors with rich information about potential events that may affect the entity, especially top risk exposures, that they can monitor on an ongoing basis. While most organizations monitor numerous key performance indicators (KPIs), often those indicators shed insights about risk events that have already affected the organization. Increasingly, boards and senior executives are looking to develop metrics or indicators to help to better monitor potential future shifts in risk conditions or new emerging risks so that management and boards are able to more proactively identify potential impacts on the organization’s portfolio of risks. Doing so enables management and the board to be in a better position to manage events that may arise in the future on a more timely and strategic basis. This latter type of metric or indicator is frequently referred to as a key risk indicator (KRI).
The purpose of this thought paper is to help management develop effective key risk indicators (KRIs) to heighten board and management enterprise risk awareness in order to increase the effectiveness of an ERM process and improve the execution of an organization’s strategy.
How Key Risk Indicators can Sharpen Focus on Emerging Risks
http://www.coso.org/documents/COSOKRIPaperFull-FINALforWebPostingDec110.pdf